From fd831072695c7690c774af6f0ac64048b5e2bdc1 Mon Sep 17 00:00:00 2001
From: Vyronas Tsingaras
Date: Tue, 21 Oct 2014 14:37:25 +0300
Subject: [PATCH 1/3] Specify in the response that we know of the new id-pkix-ocsp-extended-revoke extension defined by RFC6960.
---
 src/openssl/pki_ocsp_resp.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/openssl/pki_ocsp_resp.c b/src/openssl/pki_ocsp_resp.c
index 8f756b0..6d92895 100644
--- a/src/openssl/pki_ocsp_resp.c
+++ b/src/openssl/pki_ocsp_resp.c
@@ -204,6 +204,14 @@ int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
 }
 }
+ //We specify NID_id_pkix_OCSP_valid due to an error in OpenSSL's code, see http://marc.info/?l=openssl-users&m=138573884214852&w=2
+ if (!OCSP_SINGLERESP_add1_ext_i2d(single,
+ NID_id_pkix_OCSP_valid, "", 0 ,0))
+ {
+ PKI_log_err("Can not create \"extended revoke\" extension entry for response!");
+ return PKI_ERR;
+ }
+
 return PKI_OK;
 }
From 6ad2281f626fa2096254038d1110974e49836971 Mon Sep 17 00:00:00 2001
From: Vyronas Tsingaras
Date: Wed, 22 Oct 2014 14:44:29 +0300
Subject: [PATCH 2/3] Add API call to be able to set a PKI_TIME structure to a specific time.
---
 src/libpki/pki_time.h | 1 +
 src/openssl/pki_ocsp_resp.c | 2 +-
 src/openssl/pki_time.c | 13 +++++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/libpki/pki_time.h b/src/libpki/pki_time.h
index b9bf07e..440e19a 100644
--- a/src/libpki/pki_time.h
+++ b/src/libpki/pki_time.h
@@ -8,6 +8,7 @@ PKI_TIME *PKI_TIME_new( long long offset );
 void PKI_TIME_free_void( void *time );
 int PKI_TIME_free( PKI_TIME *time );
+PKI_TIME *PKI_TIME_set(PKI_TIME *time, time_t new_time);
 int PKI_TIME_adj( PKI_TIME *time, long long offset );
 PKI_TIME * PKI_TIME_dup ( PKI_TIME *time );
diff --git a/src/openssl/pki_ocsp_resp.c b/src/openssl/pki_ocsp_resp.c
index 6d92895..01a847e 100644
--- a/src/openssl/pki_ocsp_resp.c
+++ b/src/openssl/pki_ocsp_resp.c
@@ -208,7 +208,7 @@ int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
 if (!OCSP_SINGLERESP_add1_ext_i2d(single,
 NID_id_pkix_OCSP_valid, "", 0 ,0))
 {
- PKI_log_err("Can not create \"extended revoke\" extension entry for response!");
+ PKI_log_err("Can not create \"id-pkix-ocsp-extended-revoke\" extension entry for response!");
 return PKI_ERR;
 }
diff --git a/src/openssl/pki_time.c b/src/openssl/pki_time.c
index 0182a6f..afc6ccf 100644
--- a/src/openssl/pki_time.c
+++ b/src/openssl/pki_time.c
@@ -49,6 +49,19 @@ int PKI_TIME_free( PKI_TIME *time ) {
 return (PKI_OK);
 }
+/*!
+ * \brief Sets the passed PKI_TIME to the provided time_t
+ */
+
+PKI_TIME *PKI_TIME_set(PKI_TIME *time, time_t new_time) {
+
+ if (!time) {
+ return NULL;
+ }
+
+ return ASN1_GENERALIZEDTIME_adj(time, new_time, 0, 0);
+}
+
 /*!
 * \brief Adjusts the time by adding/subtracting the offset seconds from current value
 */
From 7287908c829b7b189d4f4b888807350d771f6069 Mon Sep 17 00:00:00 2001
From: Vyronas Tsingaras
Date: Thu, 23 Oct 2014 08:28:44 +0300
Subject: [PATCH 3/3] Fix id-pkix-ocsp-extended-revoke extension handling
Add it to responseExtensions and initialize it properly.
---
 src/openssl/pki_ocsp_resp.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/openssl/pki_ocsp_resp.c b/src/openssl/pki_ocsp_resp.c
index 01a847e..63ec6fb 100644
--- a/src/openssl/pki_ocsp_resp.c
+++ b/src/openssl/pki_ocsp_resp.c
@@ -159,7 +159,7 @@ int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
 OCSP_SINGLERESP *single = NULL;
 PKI_TIME *myThisUpdate = NULL;
-
+ X509_EXTENSION *extendedRevocation = NULL;
 PKI_OCSP_RESP *r = NULL;
 if ( !resp || !resp->value || !cid ) return ( PKI_ERR );
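Review bot: PKI_TIME_set in the pki_time.c hunk hands back whatever ASN1_GENERALIZEDTIME_adj returns, which is NULL on failure, but the \brief only says it sets the time, so callers get no hint that the result must be checked, and the pointer return also departs from the int PKI_OK/PKI_ERR convention that PKI_TIME_free (visible in the hunk context) and PKI_TIME_adj (pki_time.h hunk) follow. Add `\param time the PKI_TIME to overwrite; must not be NULL` and `\return time on success, NULL if time is NULL or the conversion fails` to the comment, and drop the blank line between `*/` and the definition so Doxygen actually attaches the comment to PKI_TIME_set. The call unconditionally rewrites the value as a GeneralizedTime whatever the PKI_TIME held before, which is right for OCSP fields but worth stating in the comment if PKI_TIME is also used for X.509 validity dates (cannot tell from here). The new prototype in pki_time.h introduces time_t into that header; if it does not already include <time.h> (not visible in this hunk), it should.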
@@ -204,11 +204,22 @@ int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
 }
 }
+ if ((extendedRevocation = X509_EXTENSION_new()) == NULL)
+ {
+ PKI_log_err("Can't allocate memory for extended revocation extension.");
+ //ERR_print_errors_fp(stdout);
+ return PKI_ERR;
+ }
+ //As per RFC6960 set critical to 0 and the OID to id-pkix-ocsp-extended-revoke and value to NULL
 //We specify NID_id_pkix_OCSP_valid due to an error in OpenSSL's code, see http://marc.info/?l=openssl-users&m=138573884214852&w=2
- if (!OCSP_SINGLERESP_add1_ext_i2d(single,
- NID_id_pkix_OCSP_valid, "", 0 ,0))
+ extendedRevocation->critical = 0;
+ extendedRevocation->object = OBJ_nid2obj(NID_id_pkix_OCSP_valid);
+ extendedRevocation->value = ASN1_OCTET_STRING_new();
+ //This extension goes to responseExtensions and not singleExtensions like invalidityDate
+ if (!OCSP_BASICRESP_add_ext(r->bs, extendedRevocation, -1))
 {
 PKI_log_err("Can not create \"id-pkix-ocsp-extended-revoke\" extension entry for response!");
+ //ERR_print_errors_fp(stdout);
 return PKI_ERR;
 }
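Review bot: The value set at `extendedRevocation->value = ASN1_OCTET_STRING_new();` is an empty OCTET STRING, but RFC 6960 section 4.4.8 requires the extnValue of id-pkix-ocsp-extended-revoke to be the DER encoding of ASN.1 NULL (the two bytes 05 00); the comment just above says "value to NULL" while the code does not produce that, so a strict client may reject the extension or the whole response. X509_EXTENSION_new() at the top of the hunk already allocates `object` and `value`, so overwriting both fields leaks the originals, the ASN1_OCTET_STRING_new() result is never checked for NULL, and since OCSP_BASICRESP_add_ext copies the extension into responseExtensions (as far as I recall) extendedRevocation is never freed on either the success or the PKI_ERR path. This block runs on every PKI_X509_OCSP_RESP_add call although the extension is response-level, so a response covering several certificates will presumably carry duplicate id-pkix-ocsp-extended-revoke entries; guarding with `OCSP_BASICRESP_get_ext_by_NID(r->bs, NID_id_pkix_OCSP_valid, -1) < 0` before adding avoids that, and the two `//ERR_print_errors_fp(stdout);` lines are commented-out code that should go. Building the extension through X509_EXTENSION_create_by_NID and releasing it once it has been added would look like the fence below, with the two new locals moved up to the declarations at the top of the function if the file is kept C89-clean; the enclosing function starts before this hunk, and whether r->bs is already populated at this point is not visible here.
```c
	// … unchanged: singleExtensions handling for this cid …
	// RFC 6960 4.4.8: extnValue is DER NULL (05 00) and the extension is non-critical.
	// OpenSSL names OID id-pkix-ocsp 9 NID_id_pkix_OCSP_valid (see the marc.info thread above).
	static const unsigned char der_null[] = { 0x05, 0x00 };
	ASN1_OCTET_STRING *extValue = ASN1_OCTET_STRING_new();
	int added = 0;

	if (extValue == NULL
	    || !ASN1_OCTET_STRING_set(extValue, der_null, sizeof der_null)) {
		ASN1_OCTET_STRING_free(extValue);
		PKI_log_err("Can't allocate memory for extended revocation extension.");
		return PKI_ERR;
	}
	// create_by_NID copies extValue, so our copy can be released right away
	extendedRevocation = X509_EXTENSION_create_by_NID(NULL, NID_id_pkix_OCSP_valid, 0, extValue);
	ASN1_OCTET_STRING_free(extValue);
	if (extendedRevocation == NULL) {
		PKI_log_err("Can't allocate memory for extended revocation extension.");
		return PKI_ERR;
	}
	// Goes into responseExtensions (not singleExtensions) and only once per response;
	// add_ext stores a copy, so free ours on every path.
	if (OCSP_BASICRESP_get_ext_by_NID(r->bs, NID_id_pkix_OCSP_valid, -1) < 0) {
		added = OCSP_BASICRESP_add_ext(r->bs, extendedRevocation, -1);
	} else {
		added = 1; // already present from an earlier PKI_X509_OCSP_RESP_add call
	}
	X509_EXTENSION_free(extendedRevocation);
	if (!added) {
		PKI_log_err("Can not create \"id-pkix-ocsp-extended-revoke\" extension entry for response!");
		return PKI_ERR;
	}
	// … unchanged: return PKI_OK …
```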